elk 这套日志 最近报错 无效索引要小写,求指导

8 天前
 pol
[2024-10-17T16:43:21,934][ERROR][logstash.outputs.elasticsearch][audit][9b837e55c8099cbb5d15de6e33ff7d57678ffc02f082744561c30f21c7610c3c] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17", :routing=>nil}, {"@timestamp"=>2024-10-17T08:43:21.696Z, "logstash_destination"=>"10ip 打码 90:9889", "host"=>"1ip 打码 97", "logger_name"=>"cn.com.safeware.common.logback.GlobalTraceLogIdSetting", "thread_name"=>"http-nio-9040-exec-159", "type"=>"logback", "env"=>"test", "level_value"=>20000, "traceId"=>"369b8faa9ae54e9ea79c241236670b97", "level"=>"INFO", "app_name"=>"erp", "server_name"=>"api-web", "port"=>33726, "@version"=>"1", "message"=>"请求方式 : POST"}], :response=>{"index"=>{"_index"=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name [asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17], must be lowercase", "index_uuid"=>"_na_", "index"=>"asr-test-%{[appName]}-%{[serverName]}.log-2024.10.17"}}}}

上面是报错日志,接下来看我 logstash 的配置

 cat logstash-audit.conf
input {
  beats {
    port => 5044
  }

  tcp {  
    port => 9889
    codec => json
  }
}

filter {
    if [stack_trace] {
      mutate {
            update => { "message" => "%{[message]}%{[stack_trace]}" }
        }
    }
}

output {
  if "erp" in [tags] {
     elasticsearch {
        hosts => [ "17ip 打码 900" ]
        index => "erp-log%{+YYYY.MM.dd}"
     }
  }
else if "node167" in [tags] {
         elasticsearch {
                hosts => [ "17ip 打码 90" ]
                index => "ecow-log%{+YYYY.MM.dd}"
     }
  }
else if "app" in [tags] {
     elasticsearch {
                hosts => [ "1ip 打码 9200" ]
                index => "app-log%{+YYYY.MM.dd}"
     }
  }
else if "app_name" == "seata-server" {
    elasticsearch {
      hosts => ["http://1ip 打码 9200"]
      index => "pro-seata-server.log-%{+YYYY.MM.dd}"
    }
 }
else {
    elasticsearch {
      hosts => ["http://17ip 打码 9200"]
      index => "asr-%{[env]}-%{[appName]}-%{[serverName]}.log-%{+YYYY.MM.dd}" 
    }
 }
}

报错影响的应该是这行配置

else {
    elasticsearch {
      hosts => ["http://17ip 打码 9200"]
      index => "asr-%{[env]}-%{[appName]}-%{[serverName]}.log-%{+YYYY.MM.dd}" 
    }

可以看到我这里使用了三个变量,这里我保证这 3 个变量拿到的值一定是全小写 请问这里是什么问题,有没有知道的,或者提供下思路

206 次点击
所在节点    日志处理
0 条回复

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/1081261

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX